CVE-2024-8660: Stored XSS in the "Top Navigator Bar" block

First published: Tue Sep 17 2024(Updated: )

Concrete CMS versions 9.0.0 through 9.3.3 are affected by a stored XSS vulnerability in the "Top Navigator Bar" block. Since the "Top Navigator Bar" output was not sufficiently sanitized, a rogue administrator could add a malicious payload that could be executed when targeted users visited the home page.The Concrete CMS Security Team gave this vulnerability a CVSS v4 score of 4.6 with vector CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N https://www.first.org/cvss/calculator/4.0#CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N . This does not affect versions below 9.0.0 since they do not have the Top Navigator Bar Block. Thanks, Chu Quoc Khanh for reporting.

Credit: ff5b8ace-8b95-4078-9743-eac1ca5451de ff5b8ace-8b95-4078-9743-eac1ca5451de

Never miss a vulnerability like this again

Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.

Read MoreStart Free Trial

• agent/weakness
• agent/title
• agent/type
• agent/first-publish-date
• collector/github-advisory-latest
• source/GitHub
• alias/GHSA-998c-q8hh-h8gv
• alias/CVE-2024-8660
• agent/software-canonical-lookup
• agent/references
• agent/description
• agent/event
• agent/author
• collector/mitre-cve
• source/MITRE
• collector/nvd-cve
• source/NVD
• collector/epss-latest
• source/FIRST
• agent/epss
• collector/github-advisory
• collector/nvd-api
• agent/last-modified-date
• agent/severity
• agent/softwarecombine
• agent/remedy
• agent/tags
• package-manager/composer
• vendor/concretecms
• canonical/concretecms concrete cms
• version/concretecms concrete cms/9.0.0